[deliverable/linux.git] / net / netfilter / xt_physdev.c

/* Kernel module to match the bridge port in and
 * out device for IP packets coming into contact with a bridge. */

/* (C) 2001-2003 Bart De Schuymer <bdschuym@pandora.be>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter_bridge.h>
#include <linux/netfilter/xt_physdev.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_bridge.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
MODULE_DESCRIPTION("iptables bridge physical device match module");
MODULE_ALIAS("ipt_physdev");
MODULE_ALIAS("ip6t_physdev");

static bool
match(const struct sk_buff *skb,
      const struct net_device *in,
      const struct net_device *out,
      const struct xt_match *match,
      const void *matchinfo,
      int offset,
      unsigned int protoff,
      bool *hotdrop)
{
	int i;
	static const char nulldevname[IFNAMSIZ];
	const struct xt_physdev_info *info = matchinfo;
	bool ret;
	const char *indev, *outdev;
	const struct nf_bridge_info *nf_bridge;

	/* Not a bridged IP packet or no info available yet:
	 * LOCAL_OUT/mangle and LOCAL_OUT/nat don't know if
	 * the destination device will be a bridge. */
	if (!(nf_bridge = skb->nf_bridge)) {
		/* Return MATCH if the invert flags of the used options are on */
		if ((info->bitmask & XT_PHYSDEV_OP_BRIDGED) &&
		    !(info->invert & XT_PHYSDEV_OP_BRIDGED))
			return false;
		if ((info->bitmask & XT_PHYSDEV_OP_ISIN) &&
		    !(info->invert & XT_PHYSDEV_OP_ISIN))
			return false;
		if ((info->bitmask & XT_PHYSDEV_OP_ISOUT) &&
		    !(info->invert & XT_PHYSDEV_OP_ISOUT))
			return false;
		if ((info->bitmask & XT_PHYSDEV_OP_IN) &&
		    !(info->invert & XT_PHYSDEV_OP_IN))
			return false;
		if ((info->bitmask & XT_PHYSDEV_OP_OUT) &&
		    !(info->invert & XT_PHYSDEV_OP_OUT))
			return false;
		return true;
	}

	/* This only makes sense in the FORWARD and POSTROUTING chains */
	if ((info->bitmask & XT_PHYSDEV_OP_BRIDGED) &&
	    (!!(nf_bridge->mask & BRNF_BRIDGED) ^
	    !(info->invert & XT_PHYSDEV_OP_BRIDGED)))
		return false;

	if ((info->bitmask & XT_PHYSDEV_OP_ISIN &&
	    (!nf_bridge->physindev ^ !!(info->invert & XT_PHYSDEV_OP_ISIN))) ||
	    (info->bitmask & XT_PHYSDEV_OP_ISOUT &&
	    (!nf_bridge->physoutdev ^ !!(info->invert & XT_PHYSDEV_OP_ISOUT))))
		return false;

	if (!(info->bitmask & XT_PHYSDEV_OP_IN))
		goto match_outdev;
	indev = nf_bridge->physindev ? nf_bridge->physindev->name : nulldevname;
	for (i = 0, ret = false; i < IFNAMSIZ/sizeof(unsigned int); i++) {
		ret |= (((const unsigned int *)indev)[i]
			^ ((const unsigned int *)info->physindev)[i])
			& ((const unsigned int *)info->in_mask)[i];
	}

	if (!ret ^ !(info->invert & XT_PHYSDEV_OP_IN))
		return false;

match_outdev:
	if (!(info->bitmask & XT_PHYSDEV_OP_OUT))
		return true;
	outdev = nf_bridge->physoutdev ?
		 nf_bridge->physoutdev->name : nulldevname;
	for (i = 0, ret = false; i < IFNAMSIZ/sizeof(unsigned int); i++) {
		ret |= (((const unsigned int *)outdev)[i]
			^ ((const unsigned int *)info->physoutdev)[i])
			& ((const unsigned int *)info->out_mask)[i];
	}

	return ret ^ !(info->invert & XT_PHYSDEV_OP_OUT);
}

static bool
checkentry(const char *tablename,
		       const void *ip,
		       const struct xt_match *match,
		       void *matchinfo,
		       unsigned int hook_mask)
{
	const struct xt_physdev_info *info = matchinfo;

	if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
	    info->bitmask & ~XT_PHYSDEV_OP_MASK)
		return false;
	if (info->bitmask & XT_PHYSDEV_OP_OUT &&
	    (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
	     info->invert & XT_PHYSDEV_OP_BRIDGED) &&
	    hook_mask & ((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
			 (1 << NF_IP_POST_ROUTING))) {
		printk(KERN_WARNING "physdev match: using --physdev-out in the "
		       "OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
		       "traffic is not supported anymore.\n");
		if (hook_mask & (1 << NF_IP_LOCAL_OUT))
			return false;
	}
	return true;
}

static struct xt_match xt_physdev_match[] __read_mostly = {
	{
		.name		= "physdev",
		.family		= AF_INET,
		.checkentry	= checkentry,
		.match		= match,
		.matchsize	= sizeof(struct xt_physdev_info),
		.me		= THIS_MODULE,
	},
	{
		.name		= "physdev",
		.family		= AF_INET6,
		.checkentry	= checkentry,
		.match		= match,
		.matchsize	= sizeof(struct xt_physdev_info),
		.me		= THIS_MODULE,
	},
};

static int __init xt_physdev_init(void)
{
	return xt_register_matches(xt_physdev_match,
				   ARRAY_SIZE(xt_physdev_match));
}

static void __exit xt_physdev_fini(void)
{
	xt_unregister_matches(xt_physdev_match, ARRAY_SIZE(xt_physdev_match));
}

module_init(xt_physdev_init);
module_exit(xt_physdev_fini);
Commit	Line	Data
1da177e4 LT	1	/* Kernel module to match the bridge port in and
	2	* out device for IP packets coming into contact with a bridge. */
	3
	4	/* (C) 2001-2003 Bart De Schuymer <bdschuym@pandora.be>
	5	*
	6	* This program is free software; you can redistribute it and/or modify
	7	* it under the terms of the GNU General Public License version 2 as
	8	* published by the Free Software Foundation.
	9	*/
	10
	11	#include <linux/module.h>
	12	#include <linux/skbuff.h>
deb47c66	13	#include <linux/netfilter_bridge.h>
2e4e6a17 HW	14	#include <linux/netfilter/xt_physdev.h>
2e4e6a17 HW	15	#include <linux/netfilter/x_tables.h>
1da177e4	16	#include <linux/netfilter_bridge.h>
1da177e4 LT	17
	18	MODULE_LICENSE("GPL");
	19	MODULE_AUTHOR("Bart De Schuymer <bdschuym@pandora.be>");
	20	MODULE_DESCRIPTION("iptables bridge physical device match module");
2e4e6a17 HW	21	MODULE_ALIAS("ipt_physdev");
2e4e6a17 HW	22	MODULE_ALIAS("ip6t_physdev");
1da177e4	23
1d93a9cb	24	static bool
1da177e4 LT	25	match(const struct sk_buff *skb,
	26	const struct net_device *in,
	27	const struct net_device *out,
c4986734	28	const struct xt_match *match,
1da177e4 LT	29	const void *matchinfo,
	30	int offset,
	31	unsigned int protoff,
cff533ac	32	bool *hotdrop)
1da177e4 LT	33	{
	34	int i;
	35	static const char nulldevname[IFNAMSIZ];
2e4e6a17	36	const struct xt_physdev_info *info = matchinfo;
1d93a9cb	37	bool ret;
1da177e4	38	const char indev, outdev;
a47362a2	39	const struct nf_bridge_info *nf_bridge;
1da177e4 LT	40
	41	/* Not a bridged IP packet or no info available yet:
	42	* LOCAL_OUT/mangle and LOCAL_OUT/nat don't know if
	43	* the destination device will be a bridge. */
	44	if (!(nf_bridge = skb->nf_bridge)) {
	45	/* Return MATCH if the invert flags of the used options are on */
2e4e6a17 HW	46	if ((info->bitmask & XT_PHYSDEV_OP_BRIDGED) &&
2e4e6a17 HW	47	!(info->invert & XT_PHYSDEV_OP_BRIDGED))
1d93a9cb	48	return false;
2e4e6a17 HW	49	if ((info->bitmask & XT_PHYSDEV_OP_ISIN) &&
2e4e6a17 HW	50	!(info->invert & XT_PHYSDEV_OP_ISIN))
1d93a9cb	51	return false;
2e4e6a17 HW	52	if ((info->bitmask & XT_PHYSDEV_OP_ISOUT) &&
2e4e6a17 HW	53	!(info->invert & XT_PHYSDEV_OP_ISOUT))
1d93a9cb	54	return false;
2e4e6a17 HW	55	if ((info->bitmask & XT_PHYSDEV_OP_IN) &&
2e4e6a17 HW	56	!(info->invert & XT_PHYSDEV_OP_IN))
1d93a9cb	57	return false;
2e4e6a17 HW	58	if ((info->bitmask & XT_PHYSDEV_OP_OUT) &&
2e4e6a17 HW	59	!(info->invert & XT_PHYSDEV_OP_OUT))
1d93a9cb JE	60	return false;
1d93a9cb JE	61	return true;
1da177e4 LT	62	}
	63
	64	/* This only makes sense in the FORWARD and POSTROUTING chains */
2e4e6a17	65	if ((info->bitmask & XT_PHYSDEV_OP_BRIDGED) &&
1da177e4	66	(!!(nf_bridge->mask & BRNF_BRIDGED) ^
2e4e6a17	67	!(info->invert & XT_PHYSDEV_OP_BRIDGED)))
1d93a9cb	68	return false;
1da177e4	69
2e4e6a17 HW	70	if ((info->bitmask & XT_PHYSDEV_OP_ISIN &&
	71	(!nf_bridge->physindev ^ !!(info->invert & XT_PHYSDEV_OP_ISIN))) \|\|
	72	(info->bitmask & XT_PHYSDEV_OP_ISOUT &&
	73	(!nf_bridge->physoutdev ^ !!(info->invert & XT_PHYSDEV_OP_ISOUT))))
1d93a9cb	74	return false;
1da177e4	75
2e4e6a17	76	if (!(info->bitmask & XT_PHYSDEV_OP_IN))
1da177e4 LT	77	goto match_outdev;
1da177e4 LT	78	indev = nf_bridge->physindev ? nf_bridge->physindev->name : nulldevname;
1d93a9cb	79	for (i = 0, ret = false; i < IFNAMSIZ/sizeof(unsigned int); i++) {
1da177e4 LT	80	ret \|= (((const unsigned int *)indev)[i]
	81	^ ((const unsigned int *)info->physindev)[i])
	82	& ((const unsigned int *)info->in_mask)[i];
	83	}
	84
1d93a9cb JE	85	if (!ret ^ !(info->invert & XT_PHYSDEV_OP_IN))
1d93a9cb JE	86	return false;
1da177e4 LT	87
1da177e4 LT	88	match_outdev:
2e4e6a17	89	if (!(info->bitmask & XT_PHYSDEV_OP_OUT))
1d93a9cb	90	return true;
1da177e4 LT	91	outdev = nf_bridge->physoutdev ?
1da177e4 LT	92	nf_bridge->physoutdev->name : nulldevname;
1d93a9cb	93	for (i = 0, ret = false; i < IFNAMSIZ/sizeof(unsigned int); i++) {
1da177e4 LT	94	ret \|= (((const unsigned int *)outdev)[i]
	95	^ ((const unsigned int *)info->physoutdev)[i])
	96	& ((const unsigned int *)info->out_mask)[i];
	97	}
	98
1d93a9cb	99	return ret ^ !(info->invert & XT_PHYSDEV_OP_OUT);
1da177e4 LT	100	}
1da177e4 LT	101
ccb79bdc	102	static bool
1da177e4	103	checkentry(const char *tablename,
2e4e6a17	104	const void *ip,
c4986734	105	const struct xt_match *match,
1da177e4	106	void *matchinfo,
1da177e4 LT	107	unsigned int hook_mask)
1da177e4 LT	108	{
2e4e6a17	109	const struct xt_physdev_info *info = matchinfo;
1da177e4	110
2e4e6a17 HW	111	if (!(info->bitmask & XT_PHYSDEV_OP_MASK) \|\|
2e4e6a17 HW	112	info->bitmask & ~XT_PHYSDEV_OP_MASK)
ccb79bdc	113	return false;
2bf540b7	114	if (info->bitmask & XT_PHYSDEV_OP_OUT &&
10ea6ac8 PM	115	(!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) \|\|
	116	info->invert & XT_PHYSDEV_OP_BRIDGED) &&
	117	hook_mask & ((1 << NF_IP_LOCAL_OUT) \| (1 << NF_IP_FORWARD) \|
601e68e1	118	(1 << NF_IP_POST_ROUTING))) {
10ea6ac8 PM	119	printk(KERN_WARNING "physdev match: using --physdev-out in the "
10ea6ac8 PM	120	"OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
2bf540b7 PM	121	"traffic is not supported anymore.\n");
2bf540b7 PM	122	if (hook_mask & (1 << NF_IP_LOCAL_OUT))
ccb79bdc	123	return false;
10ea6ac8	124	}
ccb79bdc	125	return true;
1da177e4 LT	126	}
1da177e4 LT	127
9f15c530	128	static struct xt_match xt_physdev_match[] __read_mostly = {
4470bbc7 PM	129	{
	130	.name = "physdev",
	131	.family = AF_INET,
	132	.checkentry = checkentry,
	133	.match = match,
	134	.matchsize = sizeof(struct xt_physdev_info),
	135	.me = THIS_MODULE,
	136	},
	137	{
	138	.name = "physdev",
	139	.family = AF_INET6,
	140	.checkentry = checkentry,
	141	.match = match,
	142	.matchsize = sizeof(struct xt_physdev_info),
	143	.me = THIS_MODULE,
	144	},
1da177e4 LT	145	};
1da177e4 LT	146
65b4b4e8	147	static int __init xt_physdev_init(void)
1da177e4	148	{
4470bbc7 PM	149	return xt_register_matches(xt_physdev_match,
4470bbc7 PM	150	ARRAY_SIZE(xt_physdev_match));
1da177e4 LT	151	}
1da177e4 LT	152
65b4b4e8	153	static void __exit xt_physdev_fini(void)
1da177e4	154	{
4470bbc7	155	xt_unregister_matches(xt_physdev_match, ARRAY_SIZE(xt_physdev_match));
1da177e4 LT	156	}
1da177e4 LT	157
65b4b4e8 AM	158	module_init(xt_physdev_init);
65b4b4e8 AM	159	module_exit(xt_physdev_fini);